In this post, I'm going to use information security, cyber security, and infosec interchangably. It all means the same thing here: how secure is your data and users?
No Code's Dirty Secret
There's almost no infosec in No Code. It's bad and I don't want to understate this. It's easy to see why.
- The majority of nocode developers have no experience with infosec.
- They aren't true developers, so aren't familiar with data encryption and data in transit.
- Users and clients don't follow basic security practices.
- No Code platforms lack specific security features like serverside API calls and row-level security.
What does this mean?
There are a lot of No Code apps that aren't secure. They're leaking data in transit and are likely vulnerable to attacks. Users won't see this but a developer could expose sensitive information if they wanted to.
Has this happened before?
Not that I'm aware of but it's unlikely we'd know because:
- Small No Code projects aren't likely to be targeted. There's not much value in hacking someone's weekend project.
- If they were hacked, founders and startups wouldn't share the news.
- Platforms aren't open and transparent about this. No one is going to air their dirty laundry.
This begs the question, are the applications Flywheel Studio develops secure?
How Flywheel Studio Handles InfoSec
First, let me start with the statement that we take infosec seriously, hence the entire point of writing an article about something no one else is talking about.
Our team takes the following measures to ensure we're secure:
- Complex passwords and password managers. Everyone is on +16 digit random passwords for all systems.
- Encrypted systems. All our IT is encrypted, ensuring if a team member's personal device was stolen, client data would be secure.
- Siloed data sharing with permissions. We don't share data with team members that don't need it. We add and remove team members from databases and projects as necessary, limiting their access to user and project data.
We develop software applications using:
- Google Cloud
FlutterFlow never actually has user or customer data, it's the front-end tool accessing it. Firebase, Google Cloud, and Supabase are our sensitive systems. The following are basic measures we take for all applications to ensure data and users are secure.
- Data is encrypted at rest. This means your database is secured when it's not being used.
- We use Firebase's Security Rules and Supabase's Row Level Security to ensure authenticated users can only access information relevant to them.
- Through Google Cloud and Supabase, we use serverside API calls for sensitive data transmission.
I'm not technical, what does this mean?
- Data is encrypted when it's stored
- Data is encrypted when it's being moved
- Users can only access their data
- Project data is shared on a limited "need to know basis"
What about super secure information?
We don't mess with it! Seriously, we don't want it, and neither should you. We don't store payment information or user passwords for other applications.
Stripe handles all payment information and we store non-sensitive information like transaction IDs or a customer's Stripe ID, but never their card number or account numbers.
If users log into other platforms or services, like Facebook or Instagram, we don't save user's passwords or ever have access to that information. They'll log into those platforms directly and we'll receive a secure ID and token on the backend allowing us access without having their credentials.
We also use Plaid to securely connect to users' bank accounts. Users will log in directly to their bank through Plaid and we'll receive a secure token to receive their information which is then encrypted. We'll never have the user's username or password for their accounts.
This is where it gets serious because, at the end of the day, the owners of the application are the most susceptible point and also the responsible party.
You should take the same information security considerations we take:
- Complex passwords, frequently changed. Do not share passwords or accounts.
- Encrypt your devices (phone and laptop).
- Limit project access. Don't add team members to your database that don't need access!
- Make sure your team is familiar with basic information security protocols and risks, like phishing.
If I do all this am I safe?
Unfortunately, information security is never a job that's done. We always have to be on our guard and improve. By performing these steps you'll be an extremely difficult target and if you were to be compromised, the data loss should be minimized.
Wondering if your software is secure?
Contact us and let's have a chat! We're happy to review applications and help you determine if you're using information security best practices or not.
At the end of the day, infosec isn't a zero sum game. We work with platforms, partners, clients, and competitors to ensure everyone is leveling up their policies and procedures because a safer No Code community is better for all of us.